The general flow of the scan is as follows (for an unauthenticated scan):

- Determine that the host is alive

- Port scan to see what's open

- Service identification against the open ports

- Stack fingerprinting

- Vulnerability checks

As QualysGuard uses an adaptive scan engine, we'll only launch the vulnerability checks that are appropriate for the detected operating system and services. That being said, you can certainly trim down your option profile to make it more minimalistic (for example, if you know that only a few specific ports are open, you can limit the port scanning to those ports).

- Service identification: how does Qualys do this? Based on the banners/type of ports that found opened/ or does it do more in-depth analysis by sending payload and compare to the database in Qualys Cloud?

-Stack fingerprinting/OS detection: similarly to the above how does Qualys do this?

Service Identification: Once a port is found to be open, QualysGuard will actively probe the underlying service. For example, if port 80 is found to be open, we don't simply rely on what IANA says should be on that port.

Using IANA is a guideline, we start out by sending an HTTP GET request to the port. If we receive a well-formed response, then we know that it's actually a web-server. If not, then we send it a different request, and so on, until we receive a well-formed response.

OS Identification: There's some information here and here. As far as pure stack fingerprinting goes, Qualysguard sends 5 different TCP packets (with various options set) and measures the received responses (e.g., what's the default TTL in the response, how many times is the DF bit set, etc).